- Ten bugs were found in Copeland E2 and E3 controllers
- Copeland has released a fix in the form of a firmware update
- Chained together, the flaws can lead to remote code execution
Two Copeland controllers, electronic control systems used in refrigeration and HVAC applications, carried nearly a dozen vulnerabilities that could have been used for privilege escalation and remote code execution (RCE), exposing thousands of companies to all kinds of risk.
Copeland E2 and E3 controllers are designed to manage temperature, energy consumption and system performance. They are commonly found in supermarkets, convenience stores and food service operations and, apparently, they are very popular in the United States.
Recently, security researchers from operational technology (OT) security company Armis found a total of 10 vulnerabilities, which they collectively named Frostbyte10. They reported their findings to Copeland, which published a firmware update to address the flaws and mitigate the potential risks.
According to The Register, Copeland operates in more than 40 countries, with giants such as Kroger, Albertsons and Whole Foods among its customers. It reported $4.75 billion in revenue in 2024.
Firmware update
Of the two controllers, the E2 reached end of life in October, the publication added, but Copeland has nonetheless published a firmware update for it. Users are advised to move to the newer model, the E3, and make sure they are running at least firmware version 2.31F01.
The US Cybersecurity and Infrastructure Security Agency (CISA) is also expected to publish an advisory on these flaws, but it had not been released at press time. However, CISA said the combination of issues “can lead to unauthenticated remote code execution with root privileges,” The Register noted.
So far, Armis appears to be the first to have discovered the flaws, as there is no evidence that any of them had been abused in the wild before. However, if companies do not patch their devices, they will remain vulnerable to widely known and publicized flaws. Many threat actors deliberately wait for someone else to discover flaws, betting that most companies will not apply the fixes in time.
Via The Register